A phishing attack targeting PET Imaging’s parent company exposed sensitive patient health and financial information across multiple U.S. locations.
PET Imaging of Houston was one of several facilities affected by a cyberattack on its parent company, Integrated Oncology Network (ION). Between December 13 and 16, 2024, unauthorized parties accessed employee email and SharePoint accounts through a phishing scheme. While the intrusion appeared to be directed at expanding the phishing campaign, certain emails and files containing sensitive patient data were exposed during the breach.
The breach affected at least 15,940 individuals across PET Imaging facilities in Texas, Oklahoma, and Colorado. Impacted data included personally identifiable information (PII) and protected health information (PHI), such as names, addresses, Social Security numbers, diagnosis details, lab results, and insurance information.
The compromised data included a wide range of sensitive patient records: dates of birth, financial account numbers, medication history, provider names, and treatment dates. The affected facilities include:
ION completed a detailed review of the exposed material and began notifying patients by U.S. Mail on June 27, 2025. The incident was reported to both the Texas Attorney General’s office and the U.S. Department of Health and Human Services.
ION responded by launching a forensic investigation, reviewing all affected files and emails, and notifying impacted patients. A dedicated call center was also set up to provide further support. ION has implemented enhanced cybersecurity training to help staff better identify and respond to phishing threats in the future.
Patients are encouraged to remain cautious and check their medical and financial records for any unauthorized activity. Those whose Social Security numbers were exposed may want to monitor their credit or consider placing a fraud alert.
The PET Imaging breach shows how a brief compromise of an employee email account can expose large volumes of patient data. Attackers accessed the system over a two-day period, during which protected health information, including medical and insurance details, was at risk. While the organization contained the incident and began notifying affected individuals, the case raises questions about how quickly such breaches are detected and whether existing safeguards are sufficient to prevent unauthorized access through phishing.
SharePoint is a Microsoft collaboration tool often used for storing and sharing files within organizations. In this case, compromised SharePoint accounts contained sensitive patient data, expanding the breach beyond just email.
After containing the breach, ION had to conduct a detailed forensic review to identify what data was accessed and who was affected, which can take significant time due to the volume of records and privacy considerations.
Patients should monitor insurance and medical billing statements for unusual activity, consider credit monitoring, and be alert for phishing emails or calls referencing the breach.
Patients may be eligible to join class-action lawsuits related to the breach. Legal resources are often provided in the official notification letters or on law firm websites representing affected individuals.
ION has expanded staff training on phishing threats and reviewed internal processes to strengthen prevention, detection, and response to similar incidents in the future.